Hospitals and health care agencies have had to manage an influx of Covid-19 patients while dealing with supply crunches, creating a hectic work environment. Scammers and hackers have leveraged the confusion to target hospitals, seeking to profit off the chaos.

It puts the onus on health care organizations’ cybersecurity and fraud protections. Understanding the measures that a business has in place can allow the board to better grasp the investment required to protect it from an oversight that could cost millions. Many health care companies haven’t taken these steps.

In 2018, researchers found that the cost of data breaches targeting the health care industry accounted for $6 billion in costs across the industry each year. A security breach at a hospital results in a $7 million loss, on average, which could include fines, litigation or a damaged reputation. Despite these figures, “the health care industry lags behind other industries in securing its data,” wrote the Massachusetts Institute of Technology researchers.

As coronavirus cases have multiplied, first responders and their organizations became targets.

In April, Interpol warned that hackers, using ransomware, targeted hospitals as the virus response was reaching its nadir. Ransomware allows someone to lock a computer network until a ransom is paid by the organization. “If these facilities were to be infected by ransomware, there would be greater impact, especially at this time,” Craig Jones, Interpol’s director of cybercrime, told The Wall Street Journal.

The warning has resulted in real-life financial cost. An Illinois public health system paid $350,000 to a hacker to unlock its network in March.

While a crisis isn’t the best time to address the issues, it can serve as a wake-up call for boards that don’t focus on cybersecurity and fraud concerns.

The MIT researchers found that 30% of hospital boards do not include cybersecurity within risk management oversight. “Pressure from the board of directors appears to be essential in creating substantive cyber resiliency,” wrote the researchers.

It’s not just hacks that health care firms must worry about. The FBI found a union was duped into believing that 39 million masks were discovered to aid health care workers. No such masks existed. Instead the union was caught in a massive scam, which included numerous middlemen unaware the masks weren’t real. But hospitals such as Kaiser Permanente and Sutter Health had planned to order millions of the masks.

Boards can’t predict what scam fraudsters will develop next, but they can ensure protections are in place. These will not only shield the business, but also patients and the front-line workers the country relies on.